SPF (Sender Policy Framework, RFC 7208) authorizes specific servers to send mail for your domain. When you start sending through Mailgun, you must publish a single SPF record at your domain apex that includes Mailgun's sending infrastructure — otherwise the messages will fail SPF, your DMARC checks will fail, and your mail will land in spam or be rejected outright.
If you already publish SPF for another sender (Google Workspace for inbound, a marketing tool, your CRM), do not publish a second record. Merge the new include into the existing record. RFC 7208 §3 forbids multiple SPF records on the same name and receivers MUST return permerror when they see one.
Publish these DNS records
Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.
- Type
TXT- Host
@- Value
v=spf1 include:mailgun.org ~all
- Mailgun supports either apex sending or a subdomain. For apex sending, the SPF record above goes on the apex.
- For subdomain sending (e.g. `mg.your-domain.com`), publish the SPF on the subdomain instead and leave the apex untouched.
Where in Mailgun
The SPF configuration lives in Mailgun → Sending → Domains → <your-domain> → DNS records.
Verify the records
Once published, run the SPF Checker on your domain to verify the lookup chain expands cleanly and stays under the 10-DNS-lookup limit.
dig +short TXT your-domain.comCommon pitfalls
- Mailgun's EU and US regions have different DNS values (different MX hosts for inbound, different DKIM key hosts). Make sure you're following docs for the region your account is in.
- Older Mailgun guides reference `domainkey` selectors literally; current accounts use the selector you chose in the dashboard.